CAR-2020-09-003: Indicator Blocking - Driver Unloaded
Adversaries may attempt to evade system defenses by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this analytic looks for command-line invocations of this utility when used to unload minifilter drivers.
ATT&CK Detections
| Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
|---|---|---|---|
| Impair Defenses | Indicator Blocking | Defense Evasion | Low |
D3FEND Techniques
| ID | Name |
|---|---|
| D3-PSA | Process Spawn Analysis |
Data Model References
| Object | Action | Field |
|---|---|---|
| process | create | exe |
| process | create | command_line |
Implementations
Pseudocode - fltmc invocation (Pseudocode, CAR native)
This is a pseudocode representation of the below splunk search.
processes = search Process:Create
fltmc_processes = filter processes where (
exe = "fltmc.exe" AND command_line = "*unload*")
output fltmc_processes
Splunk search - fltmc invocation (Splunk, Sysmon native)
This Splunk search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.
index=client EventCode=1 CommandLine="*unload*" (Image="C:\\Windows\\SysWOW64\\fltMC.exe" OR Image="C:\\Windows\\System32\\fltMC.exe")
LogPoint search - fltmc invocation (Logpoint, LogPoint native)
This LogPoint search looks for process create events for the fltmc.exe utility and the specific command line used to unload minifilter drivers.
norm_id=WindowsSysmon command="*unload*" (image="C:\Windows\SysWOW64\fltMC.exe" OR image="C:\Windows\System32\fltMC.exe")